1. Field of the Invention
The present invention relates generally to an improved data processing system and in particular to a method and apparatus for processing data. Still more particularly, the present invention relates to a computer implemented method, apparatus, and computer useable program code for storing audit events.
2. Description of the Related Art
Businesses often have to provide information to show compliance with different government regulations. These regulations include, for example, the Sarbanes-Oxley (SOX) Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Basel II International Banking Code. Oftentimes, compliance with these and other regulations may be shown using information contained in audit logs maintained by information technology (IT) organizations. For compliance reasons, these audit logs often are maintained for years.
Audit logs are useful for checking the enforcement and effectiveness of information technology controls, for accountability, and for vulnerability and/or risk analysis. An information technology organization also may use auditing of security related critical activities to aid in forensic investigations of security incidents that may occur. When a security incident occurs, an audit log enables an analysis of the history of activities that occurred prior to the security incident. These activities include who did what, when, where, and how. With the analysis of an audit log, appropriate corrective actions may be taken.
Audit logs are typically made available in relational databases to allow easy querying of the information by reporting programs or software to generate operational and trend reports. A trend report provides summarized audit data that allows an assessment of whether long term rises or falls in questionable activity have occurred. This type of report can help provide a “security pulse” for an organization. Operational audit reports provide a detailed review of data to determine the cause of a security incident.
Based on how audit data is used, the management of audit data has a number of different requirements. For example, audit data often has to be collected and stored in large amounts for long periods of time.
Audit data may be archived for a long period of time, such as months or years, with archival scheduled on a regular basis. With this data, trend and operational reports may be produced on recent and archived audit data. Further, data may need to be used periodically for trend and operational audit reports. These reports may be generated on a daily or weekly basis depending on the particular organization and implementation. These types of reports may be produced by customers of the information technology organization using their reporting tool of choice.
Also, the process should be tamper resistant, so that audit data remains secure when it is generated, transferred, and stored. Additionally, the ability to review audit logs for critical activities that occurred in the past is also important. For example, it may be desirable to determine what a selected user did one month prior to the current time period. Further, with these large amounts of data and the time periods for which they are kept, the collecting and pruning of audit logs should be configurable to take into account changes in configuration and policy for collecting and pruning this type of information.
Currently available audit storage systems encounter difficulties based on the large amount of data that has to be stored for a long period of time. Oftentimes, millions of records may be present that are required to be stored for years. Storing and querying this type of data is often difficult and unwieldy with currently used database management systems.